CARIN Code of Conduct

Medblocks supports the goals of the CARIN Trust Framework and follows a Code of Conduct aligned with its principles.

The code describes guidelines we follow and the rights we aim to protect. While voluntary, Medblocks adopts these principles to promote trust, privacy, and transparency for individuals accessing and sharing their health information.

Note: This page is informational and describes Medblocks’ commitments and practices. It is not legal advice.

Background and Overview

1. About the CARIN Alliance

The CARIN Alliance is a cross-industry coalition that includes patient and caregiver groups, providers, payers, technology companies, and other stakeholders. Its shared mission is to make it easier for individuals (and people authorized to help them) to digitally obtain their own health information and send it to applications they choose.

The Alliance works with public and private leaders to accelerate person-centered data access, especially via open, non-proprietary APIs encouraged by U.S. health IT policy. Its membership spans organizations operating across clinical care, claims, health information exchange, and consumer technology.

2. What “consumer-directed exchange” means

Consumer-directed exchange occurs when an individual uses their legal access rights (including rights under HIPAA, where applicable) to obtain a copy of their health information from a data holder and instructs that it be delivered to a third-party destination, such as a consumer-facing app.

Even with years of investment in electronic records and provider-to-provider exchange, consumer-directed exchange has not advanced as quickly. Common friction points include:

  • No universally adopted trust, privacy, and security expectations for consumer apps
  • Limited availability or adoption of technologies that support smooth consumer-directed workflows
  • Confusion about the policies that enable consumer access and routing
  • Organizational processes that slow or block consumer-directed sharing
  • Unclear or unsustainable economic models
  • Limited consumer awareness of available options

Why concerns come up

A frequent concern is that consumer apps may hold identifiable health data outside of HIPAA’s privacy/security requirements. However, consumer apps can still be accountable under other laws. For example, in the U.S., the Federal Trade Commission Act prohibits “unfair or deceptive” practices in commerce. In plain terms, a company may be held responsible if it misrepresents how it handles data or engages in practices that materially harm consumers. In addition, state privacy and consumer protection rules may also apply.

The “public promise” idea

A practical way to build trust is for apps to publicly commit to clear data-handling rules as part of onboarding/registration processes. When a company makes public commitments, enforcement bodies can evaluate whether the company acted consistently with those promises. The CARIN Code of Conduct exists to reduce uncertainty and set expectations for apps that handle consumer-directed health data.

The CARIN Alliance focuses on enabling two core flows:

  1. How an individual requests data via APIs, chooses where it goes, and understands how it will be used
  2. How a data holder sends that data electronically to the individual’s chosen destination

3. Right of Access vs. HIPAA Authorization

When an individual asks for their data to be sent to an application they choose, this is generally treated as a Right of Access request under the HIPAA Privacy Rule (when HIPAA applies). Additionally, when an app requests data at the direction of the individual, it can still be treated like a Right of Access request when the request:

  • is made through a personal health record context (an individual-controlled record that can combine data from multiple sources),
  • meets identity-proofing and authentication expectations (often mapped to NIST SP 800-63 assurance levels such as IAL2/AAL2),
  • clearly specifies where the data should be delivered, and
  • requests data within the scope of the current interoperability data set (e.g., USCDI, the United States Core Data for Interoperability).

By contrast, a HIPAA Authorization is commonly used when another party needs written permission to disclose data in situations where HIPAA does not otherwise allow disclosure (for example, outside treatment/payment/operations and outside the Right of Access).

4. Who this Code is for

This Code is relevant to:

  • Individuals, advocates, and caregivers who want to understand digital access and sharing choices
  • HIPAA covered entities and business associates involved in providing or supporting access
  • EHR vendors enabling documentation, workflows, and billing systems
  • Health Information Exchanges (HIEs) facilitating exchange across participants
  • Policymakers shaping health data access and interoperability
  • Non-covered entities building consumer technology and services for aggregation and analysis

5. CARIN Trust Framework purpose and phases

Goal: A voluntary, shared framework describing how consumer applications should treat health information that individuals direct to them.

How it is organized: the framework is commonly described as a phased approach:

  • Phase 1: Adoption of a Code of Conduct — apps commit to baseline expectations
  • Phase 2: Standardized disclosures — apps answer structured questions about privacy and security practices (often aligning with tools such as a model privacy notice), enabling consumers to compare options
  • Phase 3 (potential future): Independent assessments or certification programs that validate conformance to the Code and related criteria

6. Contributors to the Code

The CARIN Trust Framework was shaped by input from a wide range of organizations who care about consumer access and trusted exchange. For lists of participating organizations, see the CARIN Alliance membership information at their website.

7. Submitting feedback

The CARIN Alliance encourages ongoing feedback from the industry and the public. Comments are typically collected via the CARIN Alliance website and reviewed for future updates.

8. Putting the Code into practice

The Code is most useful when adopted by “data holders” and platforms that support app registration and consumer access, such as health plans, government programs, state agencies, providers, hospitals, EHR vendors, HIEs, and others implementing API-based access. Medblocks supports efforts to incorporate clear commitments into registration processes so individuals can make informed decisions about apps.

The CARIN Code of Conduct

Background

This Code reflects widely recognized fair-information principles and common privacy/security best practices for consumer-directed exchange. The intent is to help individuals understand how their data is handled when they choose to use consumer-facing tools.

Scope

This Code applies to consumer-facing applications, services, and platforms offered in the United States that collect or process health information on behalf of individuals, whether or not the organization is regulated by HIPAA.

Medblocks commitment

When Medblocks collects, processes, or transmits health information at the direction of an individual, we commit to the following principles.

I. Transparency

We will be open about how data is handled so people can make informed choices. We will:

  • Maintain a clearly written, easy-to-find privacy policy in plain language
  • Describe what we collect, why we collect it, and how we store, protect, retain, delete, and share it
  • Explain if we use or share de-identified, anonymized, or pseudonymized data
  • Address situations where sharing could affect others (e.g., family history or genetic information)
  • Provide clear notices when policies or practices change
  • Use established resources (such as model privacy notice structures and questionnaires) to improve clarity
  • Explain whether data is accessed once or refreshed over time, and how users can change those choices where applicable
  • Explain what a user can and cannot change (including annotations) and whether downstream recipients see those changes or completeness warnings

II. Consent

We will ensure data sharing happens because the user chose it, not because of hidden defaults. We will:

  • Seek clear, affirmative permission before sharing data with third parties
  • Use separate opt-in permission for marketing-related uses involving identifiable health data (including cases where another individual is referenced in the record)
  • Follow applicable children’s privacy requirements where relevant
  • Notify users of meaningful privacy-policy updates and require acknowledgement where continued sharing depends on it
  • Provide a straightforward way to revoke permissions and explain what revocation changes
  • Allow the user to specify the destination for sending their health information whenever destination choice is part of the flow

III. Use & Disclosure

We will use data only for the purposes we communicated, and we will not disclose data without authorization. We will:

  • Require vendors/contractors to follow our privacy and security requirements through binding agreements
  • Prevent third parties from using data for undisclosed purposes without the user’s explicit permission
  • Collect only the data the user agreed to provide or retrieve
  • Handle data in ways that align with what a reasonable person would expect in the context it was provided

IV. Individual Access

We will support meaningful access and user control over their information. We will:

  • Provide a way for users to view the identifiable information we hold about them and request corrections where applicable
  • Explain how we handle data that may be incomplete, delayed, inaccurate, or outside our ability to validate
  • When a user requests deletion (and when legally/technically possible), securely erase identifiable data so it is not used or disclosed going forward

V. Security

We will protect health information with safeguards appropriate for sensitive, identifiable data. We will:

  • Use reasonable administrative, technical, and physical safeguards to reduce risks like loss, unauthorized access, tampering, or improper disclosure
  • Store and retain data using security practices appropriate for health information
  • Use layered protections such as encryption in transit and at rest, access controls, logging, contractual protections, and audits where appropriate
  • Follow applicable breach-notification obligations and provide meaningful remediation steps when issues occur
  • When requesting data on a user’s behalf, use strong identity and authentication approaches (e.g., portal credentials or digital identity assurance consistent with IAL2/AAL2 expectations) and clearly specify the delivery destination
  • Prohibit re-identification of de-identified data through internal rules and vendor commitments
  • Maintain a defined approach to dormant accounts (e.g., timeouts, re-verification, and access restrictions)

VI. Provenance

We will preserve the origin and change history of data when feasible. Where practical, we will track and surface provenance information so users and authorized recipients can understand who supplied the data, what changed, and when it changed.

VII. Accountability

We will take responsibility for meeting these commitments and complying with applicable law. We will:

  • Comply with relevant federal and state requirements
  • Assign executive ownership for privacy and trust commitments
  • Provide a clear channel for complaints and respond in a timely manner
  • Train staff on these principles and review our practices periodically
  • Publicly disclose any relevant certifications or accreditations we obtain (including validity periods)

VIII. Education

We will help users understand the implications of sharing health information. We will provide or point to materials that explain choices, tradeoffs, benefits, and risks, so individuals can decide what is right for them.

IX. Advocacy

We will work with others to expand safe, standardized access. We will collaborate with stakeholders to broaden the set of standardized, readily accessible health information available to consumers through secure, interoperable methods.
